Bug 1022349 - Allow opendmarc to bind to a port
Summary: Allow opendmarc to bind to a port
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: opendkim
Version: 19
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Steve Jenkins
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 905304
Reported: 2013-10-23 06:23 UTC by Adam Williamson
Modified: 2015-01-08 20:55 UTC
CC: 8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-08 20:55:29 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2013-10-23 06:23:34 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=905304#c41

OpenDMARC is being added to Fedora; in testing it, I found selinux-policy-targeted blocks it from binding to a port, which it needs to do. By default it's configured to bind to port 8893.

Oct 22 22:16:45 mail.happyassassin.net kernel: type=1400 audit(1382505405.071:12314): avc:  denied  { name_bind } for  pid=31163 comm="opendmarc" src=8893 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31163]: OpenDMARC Filter: Unable to bind to port inet:8893@localhost: Permission denied
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31163]: OpenDMARC Filter: Unable to create listening socket on conn inet:8893@localhost
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31163]: smfi_opensocket() failed
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31161]: Starting OpenDMARC Milter: opendmarc: smfi_opensocket() failed
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31161]: [FAILED]

Comment 1 Adam Williamson 2013-10-23 23:47:12 UTC
Also found this. opendmarc.conf has an IgnoreHosts setting which works precisely like opendkim's TrustedHosts setting - you specify a file containing a list of IPs, IP ranges and/or domains whose mail you want to 'trust' (i.e. not run a DMARC check for). If I create /etc/opendmarc/IgnoreHosts , make it owned by opendmarc.opendmarc, and add:

IgnoreHosts /etc/opendmarc/IgnoreHosts

to /etc/opendmarc.conf , then the service fails to start with an AVC:

[64911.109988] type=1400 audit(1382571679.326:491): avc:  denied  { dac_override } for  pid=13650 comm="opendmarc" capability=1  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
[64911.109994] type=1400 audit(1382571679.326:492): avc:  denied  { dac_read_search } for  pid=13650 comm="opendmarc" capability=2  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability

audit2allow suggests:

#============= dkim_milter_t ==============
allow dkim_milter_t self:capability { dac_read_search dac_override };

but I'm not sure that's a correct solution.

Comment 2 Miroslav Grepl 2013-10-24 12:45:03 UTC
avc:  denied  { name_bind } for  pid=31163 comm="opendmarc" src=8893 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

has been added.

commit 5ae73645e46927969192ef6987c970e2782d4a4b
Author: Miroslav Grepl <mgrepl>
Date:   Wed Oct 23 10:26:30 2013 +0200

    Add tcp/8893 as milter port

Comment 3 Miroslav Grepl 2013-10-24 12:45:33 UTC
Lukas, could you backport it?

Comment 4 Miroslav Grepl 2013-10-24 12:48:11 UTC
(In reply to Adam Williamson from comment #1)
> Also found this. opendmarc.conf has a IgnoreHosts setting which works
> precisely like opendkim's TrustedHosts setting - you specify a file
> containing a list of IPs, IP ranges and/or domains whose mail you want to
> 'trust' (i.e. not run a DMARC check for). If I create
> /etc/opendmarc/IgnoreHosts , make it owned by opendmarc.opendmarc, and add:
> 
> IgnoreHosts /etc/opendmarc/IgnoreHosts
> 
> to /etc/opendmarc.conf , then the service fails to start with an AVC:
> 
> [64911.109988] type=1400 audit(1382571679.326:491): avc:  denied  {
> dac_override } for  pid=13650 comm="opendmarc" capability=1 
> scontext=system_u:system_r:dkim_milter_t:s0
> tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
> [64911.109994] type=1400 audit(1382571679.326:492): avc:  denied  {
> dac_read_search } for  pid=13650 comm="opendmarc" capability=2 
> scontext=system_u:system_r:dkim_milter_t:s0
> tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
> 
> audit2allow suggests:
> 
> #============= dkim_milter_t ==============
> allow dkim_milter_t self:capability { dac_read_search dac_override };
> 
> but I'm not sure that's a correct solution.

I don't see UID info from AVC msg. Could you paste full info. Basically I believe it runs as root.

Comment 5 Lukas Vrabec 2013-10-24 14:09:40 UTC
Backported.

Comment 6 Adam Williamson 2013-10-24 18:33:30 UTC
mgrepl: According to ps, it's running as 'opendmarc':

[adamw@mail ~]$ ps aux | grep dmarc
opendma+ 13675  0.0  0.0 185072   936 ?        Ssl  Oct23   0:00 /usr/sbin/opendmarc -c /etc/opendmarc.conf -P /var/run/opendmarc/opendmarc.pid

I don't see any other AVC stuff besides the two lines I quoted, from dmesg or journalctl:

Oct 23 16:41:19 mail.happyassassin.net sudo[13645]: adamw : TTY=pts/1 ; PWD=/etc/opendmarc ; USER=root ; COMMAND=/usr/bin/systemctl restart opendmarc.service
Oct 23 16:41:19 mail.happyassassin.net systemd[1]: Starting LSB: Start and stop OpenDMARC...
Oct 23 16:41:19 mail.happyassassin.net kernel: type=1400 audit(1382571679.326:491): avc:  denied  { dac_override } for  pid=13650 comm="opendmarc" capability=1  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
Oct 23 16:41:19 mail.happyassassin.net kernel: type=1400 audit(1382571679.326:492): avc:  denied  { dac_read_search } for  pid=13650 comm="opendmarc" capability=2  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
Oct 23 16:41:19 mail.happyassassin.net opendmarc[13648]: Starting OpenDMARC Milter: opendmarc: can't load ignore list from /etc/opendmarc/IgnoreHosts: Permission denied
Oct 23 16:41:19 mail.happyassassin.net opendmarc[13648]: [FAILED]
Oct 23 16:41:19 mail.happyassassin.net systemd[1]: opendmarc.service: control process exited, code=exited status=1

Comment 7 Adam Williamson 2013-10-24 18:35:01 UTC
lukas: I believe it's planned to build OpenDMARC for EL6 and F18+, so we'd need the fix in selinux policy for all those releases - thanks!

Comment 8 Miroslav Grepl 2013-10-25 06:38:20 UTC
Adam,
could you turn on full auditing?

# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart

and re-test. Thank you.

The port fix has been also added to EL6.

Comment 9 Lukas Vrabec 2013-10-25 08:18:25 UTC
Backported also to F18.

Comment 10 Derek Atkins 2013-12-09 15:48:01 UTC
What is the status of this issue?

Comment 11 Adam Williamson 2014-06-16 22:31:22 UTC
The issue I reported with IgnoreHosts is still valid. I forgot about mgrepl's request, finally did it now. Here's what I get:

type=DAEMON_START msg=audit(1402957701.257:2684): auditd start, ver=2.3.6 format=raw kernel=3.14.5-100.fc19.x86_64 auid=4294967295 pid=14100 subj=system_u:system_r:auditd_t:s0 res=success
type=AVC msg=audit(1402957723.950:5076): avc:  denied  { dac_override } for  pid=14115 comm="opendmarc" capability=1  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
type=AVC msg=audit(1402957723.950:5076): avc:  denied  { dac_read_search } for  pid=14115 comm="opendmarc" capability=2  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
type=SYSCALL msg=audit(1402957723.950:5076): arch=c000003e syscall=2 success=no exit=-13 a0=ce02f0 a1=0 a2=1b6 a3=0 items=1 ppid=14114 pid=14115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=CWD msg=audit(1402957723.950:5076):  cwd="/"
type=PATH msg=audit(1402957723.950:5076): item=0 name="/etc/opendmarc/IgnoreHosts" inode=667266 dev=fc:03 mode=0100640 ouid=494 ogid=493 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
type=SERVICE_START msg=audit(1402957723.960:5077): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="opendmarc" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

this may also be useful:

[root@mail adamw]# ls -lZ /etc/opendmarc/IgnoreHosts 
-rw-r-----. opendmarc opendmarc unconfined_u:object_r:etc_t:s0   /etc/opendmarc/IgnoreHosts

Comment 12 Daniel Walsh 2014-06-17 20:49:33 UTC
If you change the permissions to 644 or group to root, this AVC will go away.
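
The two denials in this bug call for different fixes, and the audit records already contain everything needed to tell them apart. Comment 2 resolves the name_bind denial from the description by labelling tcp/8893 as a milter port (not by letting dkim_milter_t bind any unreserved port), while comment 12 resolves the capability denial from comment 11 by changing the file's mode or group rather than granting dac_override. The script below is an added example, not code from the bug, from OpenDMARC, or from selinux-policy: it parses constructed copies of the records quoted above, classifies each denial, and for the file case re-runs the kernel's DAC check to show why a uid-0 opendmarc needs CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH to read a 0640 file owned by 494:493, and why each of comment 12's two fixes makes that need disappear. The syscall number, open(2) flag bits and capability numbers are the x86_64 Linux values; the function names are mine; milter_port_t is the Fedora policy type for milter ports, and the semanage line is the local-admin equivalent of the policy commit for a host whose policy predates it.

```python
"""Triage the SELinux denials from this bug offline (added example)."""
import re
import stat

# Constructed copies of the records quoted in the description and comment 11.
PORT_AVC = (
    'type=AVC msg=audit(1382505405.071:12314): avc:  denied  { name_bind } for  '
    'pid=31163 comm="opendmarc" src=8893 scontext=system_u:system_r:dkim_milter_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'
)
FILE_EVENT = [  # one audit event (serial 5076) = AVC + AVC + SYSCALL + PATH
    'type=AVC msg=audit(1402957723.950:5076): avc:  denied  { dac_override } for  '
    'pid=14115 comm="opendmarc" capability=1  scontext=system_u:system_r:dkim_milter_t:s0 '
    'tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability',
    'type=AVC msg=audit(1402957723.950:5076): avc:  denied  { dac_read_search } for  '
    'pid=14115 comm="opendmarc" capability=2  scontext=system_u:system_r:dkim_milter_t:s0 '
    'tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1402957723.950:5076): arch=c000003e syscall=2 success=no '
    'exit=-13 a0=ce02f0 a1=0 a2=1b6 a3=0 items=1 ppid=14114 pid=14115 auid=4294967295 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 '
    'comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 '
    'key=(null)',
    'type=PATH msg=audit(1402957723.950:5076): item=0 name="/etc/opendmarc/IgnoreHosts" '
    'inode=667266 dev=fc:03 mode=0100640 ouid=494 ogid=493 rdev=00:00 '
    'obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{\s*([^}]+?)\s*\}')
SYS_OPEN = 2                      # x86_64 syscall number seen in the SYSCALL record
O_ACCMODE, O_RDONLY = 0o3, 0o0    # open(2) access-mode bits (a1 in the record)
CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH = 1, 2   # capability=N in the AVC lines


def parse_record(line):
    """One raw audit record -> dict of key=value fields plus the denied perms."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = PERMS.search(line)
    if m:
        rec['perms'] = m.group(1).split()
    return rec


def classify(avc):
    """Map a denial onto its remedy class: relabel a port vs. fix DAC vs. other."""
    ttype = avc['tcontext'].split(':')[2]
    if avc['tclass'].endswith('_socket') and 'name_bind' in avc.get('perms', []):
        return ('port_label', int(avc['src']), ttype)
    if avc['tclass'] == 'capability':
        return ('capability', int(avc['capability']), ttype)
    return ('other', avc.get('perms', []), ttype)


def caps_needed(mode, ouid, ogid, uid, groups, want_write):
    """Miniature of the kernel's generic_permission(): the capabilities a caller
    must hold, in the order the kernel consults them, when the mode bits do not
    grant the access.  An empty list means plain DAC already allows it."""
    perm = stat.S_IMODE(mode)
    if uid == ouid:
        bits = (perm >> 6) & 7
    elif ogid in groups:
        bits = (perm >> 3) & 7
    else:
        bits = perm & 7
    if bits & (0o2 if want_write else 0o4):
        return []
    caps = [CAP_DAC_OVERRIDE]             # read/write DAC is always overridable
    if not want_write:
        caps.append(CAP_DAC_READ_SEARCH)  # a pure read may also use the weaker cap
    return caps


def explain_file_event(records):
    """Reconstruct the DAC decision behind a capability AVC and list the fixes
    from comment 12 that satisfy the same check without any new allow rule."""
    recs = [parse_record(r) for r in records]
    avcs = [r for r in recs if r['type'] == 'AVC']
    sc = next(r for r in recs if r['type'] == 'SYSCALL')
    path = next(r for r in recs if r['type'] == 'PATH')
    if int(sc['syscall']) != SYS_OPEN:
        raise ValueError('expected an open(2) event')
    want_write = (int(sc['a1'], 16) & O_ACCMODE) != O_RDONLY
    uid, gid = int(sc['euid']), int(sc['egid'])
    mode, ouid, ogid = int(path['mode'], 8), int(path['ouid']), int(path['ogid'])
    fixes = []
    if not caps_needed(mode | 0o004, ouid, ogid, uid, {gid}, want_write):
        fixes.append('chmod 0%o %s' % (stat.S_IMODE(mode | 0o004), path['name']))
    if not caps_needed(mode, ouid, gid, uid, {gid}, want_write):
        fixes.append('chgrp %d %s' % (gid, path['name']))
    return {
        'path': path['name'], 'uid': uid, 'owner': (ouid, ogid),
        'mode': stat.S_IMODE(mode), 'write': want_write,
        'caps_denied': [classify(a)[1] for a in avcs],
        'caps_needed': caps_needed(mode, ouid, ogid, uid, {gid}, want_write),
        'fixes': fixes,
    }


if __name__ == '__main__':
    kind, port, ptype = classify(parse_record(PORT_AVC))
    print(f'{kind}: tcp/{port} is {ptype}; label the port, do not widen the domain:')
    print(f'  semanage port -a -t milter_port_t -p tcp {port}')
    print(explain_file_event(FILE_EVENT))
```

The point the output makes is that the daemon opens IgnoreHosts as euid 0 before dropping to the opendmarc user, so the kernel asks for CAP_DAC_OVERRIDE and then CAP_DAC_READ_SEARCH, and SELinux denies both in dkim_milter_t; the audit2allow rule from comment 1 would let the milter bypass DAC on every file, whereas `chmod 0644` or `chgrp root` makes the ordinary mode bits pass for root and the capability is never consulted.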

Comment 13 Matt Domsch 2014-10-01 14:20:55 UTC
Adam, I'll add /etc/opendmarc to the list of directories owned by the opendmarc package.  How does this look?

drwxr-xr-x    2 opendmaropendmar                    0 Oct  1 09:16 /etc/opendmarc
-rw-r--r--    1 root    root                    12336 Oct  1 09:16 /etc/opendmarc.conf

Comment 14 Adam Williamson 2014-10-16 00:39:35 UTC
I'm unclear on the rationale for one being owned by opendmarc and the other being owned by root, but I guess it looks OK? Sorry, I've sort of lost track of this issue, been focusing on other things lately.

Comment 15 Adam Williamson 2015-01-08 20:55:29 UTC
Well, I think it makes sense to close this report at this point, the requested change was made some time ago and the follow-up was something else.

